User Added to Privileged Group in Active Directory

Author: Elastic, Skoetting
Source: upstream

Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098` Account Manipulation, `T1098.007` Account Manipulation: Additional Local or Domain Groups
Privilege Escalation	`T1098` Account Manipulation, `T1098.007` Account Manipulation: Additional Local or Domain Groups

Event coverage

Provider	Event ID	Title
Security-Auditing	4728	A member was added to a security-enabled global group.
Security-Auditing	4732	A member was added to a security-enabled local group.
Security-Auditing	4756	A member was added to a security-enabled universal group.

Stages and Predicates

Stage 1: `eql:iam`

((group.id:"S-1-5-21*" and group.name:"Admin*") or group.id:"S-1-5-21-*-544") and event.action:"added-member-to-group"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.action`	eq	`added-member-to-group`
`group.id`	wildcard	`S-1-5-21` `S-1-5-21--1101` `S-1-5-21--1102` `S-1-5-21--512` `S-1-5-21--518` `S-1-5-21--519` `S-1-5-21--544` `S-1-5-21--548` `S-1-5-21--549` `S-1-5-21--550` `S-1-5-21-*-551`
`group.name`	wildcard	`Account Operators` `Admin*` `Backup Admins` `DnsAdmins` `Domain Admins` `Enterprise Admins` `Exchange Organization Administrators` `Print Operators` `Schema Admins` `Server Operators`

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

A Member Was Added to a Security-Enabled Global Group [sigma]
Add or Remove Computer from DC [sigma]
Addition of SID History to Active Directory Object [sigma]
Detect New Local Admin account [splunk]
Windows AD Cross Domain SID History Addition [splunk]
Windows AD Privileged Account SID History Addition [splunk]
Windows AD Same Domain SID History Addition [splunk]
Windows Increase in User Modification Activity [splunk]

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.

Windows Increase in User Modification Activity [splunk]